feat: SBOM artifacts (#89)

DerekRoberts · web-flow · commit 2e7145d14b6f · 2025-06-10T18:15:11.000-07:00
diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml
@@ -35,35 +35,8 @@ jobs:
             exit 1
           fi
 
-  # Anything can be retagged if a fallback image exists (e.g. test)
-  retag:
-    needs: [build]
-    name: Retag
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@v4
-      - id: retag
-        uses: ./
-        with:
-          package: backend
-          keep_versions: 10
-          repository: bcgov/quickstart-openshift
-          tags: ${{ github.event.number }}-retag
-          tag_fallback: test
-          triggers: ('backend/')
-
-      - if: steps.retag.outputs.triggered != 'false'
-        run: |
-          # Verify outputs
-          echo "Outputs: ${{ toJSON(steps.retag.outputs) }}"
-          if [ -z "${{ steps.retag.outputs.digest }}" ] || [ "${{ steps.retag.outputs.triggered }}" != "true" ]; then
-            echo "Error!  Verify outputs."
-            exit 1
-          fi
-
   # No attestation, no id-token, no build
   no-attestation:
-    needs: [build]
     name: No Attestation
     permissions:
       attestations: none
@@ -75,12 +48,13 @@ jobs:
       - id: no-attestation
         uses: ./
         with:
-          package: backend
+          package: frontend
+          build_context: frontend
           keep_versions: 10
           repository: bcgov/quickstart-openshift
           tags: ${{ github.event.number }}-no-attestation
           tag_fallback: test
-          triggers: ('backend/')
+          triggers: ('frontend/')
 
       - if: steps.no-attestation.outputs.triggered != 'false'
         run: |
@@ -121,7 +95,7 @@ jobs:
 
   results:
     name: PR Results
-    needs: [advanced, build, no-attestation, retag]
+    needs: [advanced, build, no-attestation]
     if: always()
     runs-on: ubuntu-24.04
     steps:
diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@
 [![MIT License](https://img.shields.io/github/license/bcgov/action-builder-ghcr.svg)](/LICENSE)
 [![Lifecycle](https://img.shields.io/badge/Lifecycle-Experimental-339999)](https://github.com/bcgov/repomountie/blob/master/doc/lifecycle-badges.md)
 
-# Conditional Container Builder with Fallback and Attestations (SBOMs)
+# Conditional Container Builder with Fallback, Attestations and SBOMs (Software Bill of Materials)
 
 This action builds Docker/Podman containers conditionally using a set of directories.  If any files were changed matching that, then build a container.  If those files were not changed, retag an existing build.
 
@@ -72,6 +72,10 @@ Only GitHub Container Registry (ghcr.io) is supported so far.
     # Defaults to the current one
     repository: ${{ github.repository }}
 
+    # SBOM generation is enabled by default as a security best practice
+    # String value, not boolean
+    sbom: 'true'
+
     # Specify token (GH or PAT), instead of inheriting one from the calling workflow
     token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -152,49 +156,39 @@ builds:
 
 ```
 
-# Permissions
+# Security Features
+
+This action provides two key security features: Container Attestations and Software Bill of Materials (SBOM) generation.
 
-It is good practice to set explicit permissions for jobs and workflows. These are applied to the GITHUB_TOKEN. Please see the [GitHub documentation](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token) for more information.
+## Container Attestations
 
-The following permissions are used by this action:
+[Container attestations](https://docs.github.com/en/actions/security-guides/security-hardening-with-openid-connect#about-oidc-and-container-signing) use GitHub's OIDC token to provide cryptographic proof of:
+- Where the container was built (GitHub Actions)
+- When it was built (timestamp)
+- What repository and workflow built it
+- What inputs and environment were used
 
+Attestations require the following permissions:
 ```yaml
 permissions:
   packages: write      # Required for pushing images
-  id-token: write      # Optional: Required for OIDC token generation
-  attestations: write  # Optional: Required for creating attestations
+  id-token: write      # Required for OIDC token generation
+  attestations: write  # Required for creating attestations
 ```
 
-## Container Attestations
-
-This action supports [container attestations](https://docs.github.com/en/actions/security-guides/security-hardening-with-openid-connect#about-oidc-and-container-signing) using GitHub's OIDC token. Attestations provide cryptographic verification of container images, enhancing supply chain security.
+If these permissions are not granted, the action will still build and push images but skip the attestation step.
 
-If the `id-token: write` and `attestations: write` permissions are not granted, the action will still build and push images but will skip the attestation step. This allows the action to work in environments both with and without attestation support.
+## Software Bill of Materials (SBOM)
 
-Example workflow with all permissions enabled:
+This action automatically generates SBOMs for all container builds using [Syft](https://github.com/anchore/syft). SBOMs provide a detailed inventory that includes:
+- All installed packages and their versions
+- Dependencies and their relationships
+- License information
+- Known vulnerabilities
 
-```yaml
-name: Build with Attestations
-
-on:
-  pull_request:
-
-permissions:
-  attestations: write
-  id-token: write
-  packages: write
-
-jobs:
-  build:
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@v4
-      - uses: bcgov/action-builder-ghcr@vX.Y.Z
-        with:
-          package: frontend
-          tag_fallback: test
-          triggers: ('frontend/')
-```
+Two SBOM formats are generated and uploaded as workflow artifacts:
+- CycloneDX JSON
+- SPDX JSON
 
 # Outputs
 
diff --git a/action.yml b/action.yml
@@ -15,6 +15,9 @@ inputs:
     description: Build context, not required for self-contained package/default directory
   build_file:
     description: Dockerfile with path, not required for self-contained package/default directory
+  sbom:
+    default: 'true'
+    description: Generate a Software Bill of Materials (SBOM) for the container image. Enabled by default for better security practices.
   keep_versions:
     description: Number of versions to keep; omit to skip
   tag_fallback:
@@ -182,6 +185,40 @@ runs:
         cache-to: type=gha,mode=max
         build-args: ${{ inputs.build_args }}
 
+    - name: Install Syft
+      if: steps.build.outputs.triggered == 'true' && inputs.sbom == 'true'
+      shell: bash
+      run: |
+        curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
+    - name: Generate SBOM
+      if: steps.build.outputs.triggered == 'true' && inputs.sbom == 'true'
+      shell: bash
+      run: |
+        # Generate SBOM in both cyclonedx and spdx formats
+        IMAGE="ghcr.io/${{ steps.vars.outputs.repo_lower }}/${{ steps.vars.outputs.package_lower }}@${{ steps.build_and_push.outputs.digest }}"
+        
+        # Create SBOMs directory
+        mkdir -p sboms
+        
+        # Generate CycloneDX SBOM
+        syft packages "$IMAGE" -o cyclonedx-json > "sboms/${{ inputs.package }}-cyclonedx.json"
+        
+        # Generate SPDX SBOM
+        syft packages "$IMAGE" -o spdx-json > "sboms/${{ inputs.package }}-spdx.json"
+        
+        # Upload SBOMs as artifacts
+        echo "sbom_cyclonedx=sboms/${{ inputs.package }}-cyclonedx.json" >> $GITHUB_OUTPUT
+        echo "sbom_spdx=sboms/${{ inputs.package }}-spdx.json" >> $GITHUB_OUTPUT
+
+    - name: Upload SBOMs
+      uses: actions/upload-artifact@v4
+      if: steps.build.outputs.triggered == 'true' && inputs.sbom == 'true'
+      with:
+        name: sboms-${{ inputs.package }}
+        path: sboms/
+        if-no-files-found: error
+
     - name: Check attestation permissions
       id: check_permissions
       if: steps.build.outputs.triggered == 'true'
